dependabot-npm_and_yarn 0.295.0 → 0.296.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14edb941111a95dc07d83e6449c01bd3b0f4b92c4e3168acd19d31ce1fa96183
-  data.tar.gz: 0ec9a05bb2ebda169ad58028bfc2c0465ef0bbf192265f317570842f5aaa81b7
+  metadata.gz: 40c0445c84d264374459bc6e6d333d051a116ec598ae0e208536123242a2a56b
+  data.tar.gz: 208a49c91628dda0ada48108de1ef09b07b8ca7b4f12df008906689e5ad173f9
 SHA512:
-  metadata.gz: 5822f02ef7a153c079c70f91724efe53250ea696af5c0a995cfb86537be568e155344eb9cbb1481c2f2be01c080d486a0b98300dd318aa72c6271b36bd0d906e
-  data.tar.gz: 85bf7be8bb171f92b38a67d7c0b12b6c0e68056a6cdf09a0b20d8c2054517276e614e1bc7fd01bc366a53e917ba54c032ee816c977d47ca4eb11c22afda6c2ee
+  metadata.gz: c1a2bc9cfa98144e171f653efedd490ccf0eb02176c29496a5ee288d83a54b83f8390e3a7d67b98fa544ef3f5e4074080101d8115414fdc34cb4c3ec075a2f25
+  data.tar.gz: da594bed80a0ad0c2e0fef360bb026f176020c0edc1c665e4e4823f882edd72e85e07a52b5a2036c78620f0889a0e050d0342462b21f6671a8d6daaa5976cbb3

data/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -8,30 +8,51 @@ module Dependabot
     module ConstraintHelper
       extend T::Sig
 
-      INVALID = "invalid" # Invalid constraint
       # Regex Components for Semantic Versioning
       DIGIT = "\\d+"                             # Matches a single number (e.g., "1")
       PRERELEASE = "(?:-[a-zA-Z0-9.-]+)?"        # Matches optional pre-release tag (e.g., "-alpha")
       BUILD_METADATA = "(?:\\+[a-zA-Z0-9.-]+)?"  # Matches optional build metadata (e.g., "+001")
-      DOT = "\\."                                # Matches a literal dot "."
 
       # Matches semantic versions:
       VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
 
-      VERSION_REGEX = T.let(/\A#{VERSION}\z/o, Regexp)
+      VERSION_REGEX = T.let(/^#{VERSION}$/, Regexp)
 
-      # SemVer regex: major.minor.patch[-prerelease][+build]
-      SEMVER_REGEX = /^(?<version>\d+\.\d+\.\d+)(?:-(?<prerelease>[a-zA-Z0-9.-]+))?(?:\+(?<build>[a-zA-Z0-9.-]+))?$/
+      # Base regex for SemVer (major.minor.patch[-prerelease][+build])
+      # This pattern extracts valid semantic versioning strings based on the SemVer 2.0 specification.
+      SEMVER_REGEX = T.let(/
+        (?<version>\d+\.\d+\.\d+)               # Match major.minor.patch (e.g., 1.2.3)
+        (?:-(?<prerelease>[a-zA-Z0-9.-]+))?     # Optional prerelease (e.g., -alpha.1, -rc.1, -beta.5)
+        (?:\+(?<build>[a-zA-Z0-9.-]+))?         # Optional build metadata (e.g., +build.20231101, +exp.sha.5114f85)
+      /x, Regexp)
+
+      # Full SemVer validation regex (ensures the entire string is a valid SemVer)
+      # This ensures the entire input strictly follows SemVer, without extra characters before/after.
+      SEMVER_VALIDATION_REGEX = T.let(/^#{SEMVER_REGEX}$/, Regexp)
+
+      # SemVer constraint regex (supports package.json version constraints)
+      # This pattern ensures proper parsing of SemVer versions with optional operators.
+      SEMVER_CONSTRAINT_REGEX = T.let(/
+        (?: (>=|<=|>|<|=|~|\^)\s*)?  # Make operators optional (e.g., >=, ^, ~)
+        (\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)  # Match full SemVer versions
+        | (\*|latest) # Match wildcard (*) or 'latest'
+      /x, Regexp)
+
+      # /(>=|<=|>|<|=|~|\^)\s*(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)|(\*|latest)/
+
+      SEMVER_OPERATOR_REGEX = /^(>=|<=|>|<|~|\^|=)$/
 
       # Constraint Types as Constants
-      CARET_CONSTRAINT_REGEX = T.let(/^\^(#{VERSION})$/, Regexp)
-      TILDE_CONSTRAINT_REGEX = T.let(/^~(#{VERSION})$/, Regexp)
-      EXACT_CONSTRAINT_REGEX = T.let(/^(#{VERSION})$/, Regexp)
-      GREATER_THAN_EQUAL_REGEX = T.let(/^>=(#{VERSION})$/, Regexp)
-      LESS_THAN_EQUAL_REGEX = T.let(/^<=(#{VERSION})$/, Regexp)
-      GREATER_THAN_REGEX = T.let(/^>(#{VERSION})$/, Regexp)
-      LESS_THAN_REGEX = T.let(/^<(#{VERSION})$/, Regexp)
+      CARET_CONSTRAINT_REGEX = T.let(/^\^\s*(#{VERSION})$/, Regexp)
+      TILDE_CONSTRAINT_REGEX = T.let(/^~\s*(#{VERSION})$/, Regexp)
+      EXACT_CONSTRAINT_REGEX = T.let(/^\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_EQUAL_REGEX = T.let(/^>=\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_EQUAL_REGEX = T.let(/^<=\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_REGEX = T.let(/^>\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_REGEX = T.let(/^<\s*(#{VERSION})$/, Regexp)
       WILDCARD_REGEX = T.let(/^\*$/, Regexp)
+      LATEST_REGEX = T.let(/^latest$/, Regexp)
+      SEMVER_CONSTANTS = ["*", "latest"].freeze
 
       # Unified Regex for Valid Constraints
       VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
@@ -42,43 +63,10 @@ module Dependabot
         LESS_THAN_EQUAL_REGEX,
         GREATER_THAN_REGEX,
         LESS_THAN_REGEX,
-        WILDCARD_REGEX
+        WILDCARD_REGEX,
+        LATEST_REGEX
       ).freeze, Regexp)
 
-      # Validates if the provided semver constraint expression from a `package.json` is valid.
-      # A valid semver constraint expression in `package.json` can consist of multiple groups
-      # separated by logical OR (`||`). Within each group, space-separated constraints are treated
-      # as logical AND. Each individual constraint must conform to the semver rules defined in
-      # `VALID_CONSTRAINT_REGEX`.
-      #
-      # Example (valid `package.json` semver constraints):
-      #   ">=1.2.3 <2.0.0 || ~3.4.5" → Valid (space-separated constraints are AND, `||` is OR)
-      #   "^1.0.0 || >=2.0.0 <3.0.0" → Valid (caret and range constraints combined)
-      #   "1.2.3" → Valid (exact version)
-      #   "*" → Valid (wildcard allows any version)
-      #
-      # Example (invalid `package.json` semver constraints):
-      #   ">=1.2.3 && <2.0.0" → Invalid (`&&` is not valid in semver)
-      #   ">=x.y.z" → Invalid (non-numeric version parts are not valid)
-      #   "1.2.3 ||" → Invalid (trailing OR operator)
-      #
-      # @param constraint_expression [String] The semver constraint expression from `package.json` to validate.
-      # @return [T::Boolean] Returns true if the constraint expression is valid semver, false otherwise.
-      sig { params(constraint_expression: T.nilable(String)).returns(T::Boolean) }
-      def self.valid_constraint_expression?(constraint_expression)
-        normalized_constraint = constraint_expression&.strip
-
-        # Treat nil or empty input as valid (no constraints)
-        return true if normalized_constraint.nil? || normalized_constraint.empty?
-
-        # Split the expression by logical OR (`||`) into groups
-        normalized_constraint.split("||").reject(&:empty?).all? do |or_group|
-          or_group.split(/\s+/).reject(&:empty?).all? do |and_constraint|
-            and_constraint.match?(VALID_CONSTRAINT_REGEX)
-          end
-        end
-      end
-
       # Extract unique constraints from the given constraint expression.
       # @param constraint_expression [T.nilable(String)] The semver constraint expression.
       # @return [T::Array[String]] The list of unique Ruby-compatible constraints.
@@ -89,17 +77,92 @@ module Dependabot
         )
           .returns(T.nilable(T::Array[String]))
       end
-      def self.extract_constraints(constraint_expression, dependabot_versions = nil)
-        normalized_constraint = constraint_expression&.strip
-        return [] if normalized_constraint.nil? || normalized_constraint.empty?
-
-        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+      def self.extract_ruby_constraints(constraint_expression, dependabot_versions = nil)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
 
         return nil unless parsed_constraints
 
         parsed_constraints.filter_map { |parsed| parsed[:constraint] }
       end
 
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(constraint_expression: T.nilable(String))
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.split_constraints(constraint_expression)
+        normalized_constraint = constraint_expression&.strip
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Split constraints by logical OR (`||`)
+        constraint_groups = normalized_constraint.split("||")
+
+        # Split constraints by logical AND (`,`)
+        constraint_groups = constraint_groups.map do |or_constraint|
+          or_constraint.split(",").map(&:strip)
+        end.flatten
+
+        constraint_groups = constraint_groups.map do |constraint|
+          tokens = constraint.split(/\s+/).map(&:strip)
+
+          and_constraints = []
+
+          previous = T.let(nil, T.nilable(String))
+          operator = T.let(false, T.nilable(T::Boolean))
+          wildcard = T.let(false, T::Boolean)
+
+          tokens.each do |token|
+            token = token.strip
+            next if token.empty?
+
+            # Invalid constraint if wildcard and anything else
+            return nil if wildcard
+
+            # If token is one of the operators (>=, <=, >, <, ~, ^, =)
+            if token.match?(SEMVER_OPERATOR_REGEX)
+              wildcard = false
+              operator = true
+            # If token is wildcard or latest
+            elsif token.match?(/(\*|latest)/)
+              and_constraints << token
+              wildcard = true
+              operator = false
+            # If token is exact version (e.g., "1.2.3")
+            elsif token.match(VERSION_REGEX)
+              and_constraints << if operator
+                                   "#{previous}#{token}"
+                                 else
+                                   token
+                                 end
+              wildcard = false
+              operator = false
+            # If token is a valid constraint (e.g., ">=1.2.3", "<=2.0.0")
+            elsif token.match(VALID_CONSTRAINT_REGEX)
+              return nil if operator
+
+              and_constraints << token
+
+              wildcard = false
+              operator = false
+            else
+              # invalid constraint
+              return nil
+            end
+            previous = token
+          end
+          and_constraints.uniq
+        end.flatten
+        constraint_groups if constraint_groups.any?
+      end
+
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+
       # Find the highest version from the given constraint expression.
       # @param constraint_expression [T.nilable(String)] The semver constraint expression.
       # @return [T.nilable(String)] The highest version, or nil if no versions are available.
@@ -111,10 +174,7 @@ module Dependabot
           .returns(T.nilable(String))
       end
       def self.find_highest_version_from_constraint_expression(constraint_expression, dependabot_versions = nil)
-        normalized_constraint = constraint_expression&.strip
-        return nil if normalized_constraint.nil? || normalized_constraint.empty?
-
-        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
 
         return nil unless parsed_constraints
 
@@ -136,20 +196,11 @@ module Dependabot
           .returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]]))
       end
       def self.parse_constraints(constraint_expression, dependabot_versions = nil)
-        normalized_constraint = constraint_expression&.strip
-
-        # Return an empty array for valid "no constraints" (nil or empty input)
-        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+        splitted_constraints = split_constraints(constraint_expression)
 
-        # Return nil for invalid constraints
-        return nil unless valid_constraint_expression?(normalized_constraint)
+        return unless splitted_constraints
 
-        # Parse valid constraints
-        constraints = normalized_constraint.split("||").flat_map do |or_group|
-          or_group.strip.split(/\s+/).map(&:strip)
-        end.then do |normalized_constraints| # rubocop:disable Style/MultilineBlockChain
-          to_ruby_constraints_with_versions(normalized_constraints, dependabot_versions)
-        end.uniq { |parsed| parsed[:constraint] } # Ensure uniqueness based on `:constraint` # rubocop:disable Style/MultilineBlockChain
+        constraints = to_ruby_constraints_with_versions(splitted_constraints, dependabot_versions)
         constraints
       end
 
@@ -162,7 +213,7 @@ module Dependabot
       def self.to_ruby_constraints_with_versions(constraints, dependabot_versions = [])
         constraints.filter_map do |constraint|
           parsed = to_ruby_constraint_with_version(constraint, dependabot_versions)
-          parsed if parsed && parsed[:constraint] # Only include valid constraints
+          parsed if parsed
         end.uniq
       end
 
@@ -258,8 +309,10 @@ module Dependabot
             version < Version.new(constraint_version)
           end
           { constraint: "<#{Regexp.last_match(1)}", version: found_version&.to_s }
-        when WILDCARD_REGEX # Wildcard
-          { constraint: nil, version: dependabot_versions&.max&.to_s } # Explicitly valid but no specific constraint
+        when WILDCARD_REGEX # No specific constraint, resolves to the highest available version
+          { constraint: nil, version: dependabot_versions&.max&.to_s }
+        when LATEST_REGEX
+          { constraint: nil, version: dependabot_versions&.max&.to_s } # Resolves to the latest available version
         end
       end
 
@@ -292,7 +345,7 @@ module Dependabot
       def self.version_components(full_version)
         return [] if full_version.nil?
 
-        match = full_version.match(SEMVER_REGEX)
+        match = full_version.match(SEMVER_VALIDATION_REGEX)
         return [] unless match
 
         version = match[:version]

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -342,6 +342,11 @@ module Dependabot
           fetch_support_file(PNPMPackageManager::PNPM_WS_YML_FILENAME),
           T.nilable(DependencyFile)
         )
+
+        # Only fetch from parent directories if the file wasn't found initially
+        @pnpm_workspace_yaml ||= fetch_file_from_parent_directories(PNPMPackageManager::PNPM_WS_YML_FILENAME)
+
+        @pnpm_workspace_yaml
       end
 
       sig { returns(T.nilable(DependencyFile)) }

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -59,7 +59,7 @@ module Dependabot
         dependency_set = DependencySet.new
         dependency_set += manifest_dependencies
         dependency_set += lockfile_dependencies
-        dependency_set += workspace_catalog_dependencies if enable_pnpm_workspace_catalog?
+        dependency_set += workspace_catalog_dependencies if pnpm_workspace_yml
 
         dependencies = Helpers.dependencies_with_all_versions_metadata(dependency_set)
 
@@ -94,11 +94,6 @@ module Dependabot
 
       private
 
-      sig { returns(T.nilable(T::Boolean)) }
-      def enable_pnpm_workspace_catalog?
-        pnpm_workspace_yml && Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
-      end
-
       sig { returns(PackageManagerHelper) }
       def package_manager_helper
         @package_manager_helper ||= T.let(

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -11,11 +11,15 @@ module Dependabot
       class PackageJsonUpdater
         extend T::Sig
 
+        LOCAL_PACKAGE = T.let([/portal:/, /file:/].freeze, T::Array[Regexp])
+
+        PATCH_PACKAGE = T.let([/patch:/].freeze, T::Array[Regexp])
+
         sig do
           params(
             package_json: Dependabot::DependencyFile,
             dependencies: T::Array[Dependabot::Dependency]
-          ) .void
+          ).void
         end
         def initialize(package_json:, dependencies:)
           @package_json = package_json
@@ -115,6 +119,8 @@ module Dependabot
         def updated_requirements(dependency)
           return unless dependency.previous_requirements
 
+          preliminary_check_for_update(dependency)
+
           updated_requirement_pairs =
             dependency.requirements.zip(T.must(dependency.previous_requirements))
                       .reject do |new_req, old_req|
@@ -341,6 +347,31 @@ module Dependabot
 
           0
         end
+
+        sig { params(dependency: Dependabot::Dependency).void }
+        def preliminary_check_for_update(dependency)
+          T.must(dependency.previous_requirements).each do |req, _dep|
+            next if req.fetch(:requirement).nil?
+
+            # some deps are patched with local patches, we don't need to update them
+            if req.fetch(:requirement).match?(Regexp.union(PATCH_PACKAGE))
+              Dependabot.logger.info("Func: updated_requirements. dependency patched #{dependency.name}," \
+                                     " Requirement: '#{req.fetch(:requirement)}'")
+
+              raise DependencyFileNotResolvable,
+                    "Dependency is patched locally, Update not required."
+            end
+
+            # some deps are added as local packages, we don't need to update them as they are referred to a local path
+            next unless req.fetch(:requirement).match?(Regexp.union(LOCAL_PACKAGE))
+
+            Dependabot.logger.info("Func: updated_requirements. local package #{dependency.name}," \
+                                   " Requirement: '#{req.fetch(:requirement)}'")
+
+            raise DependencyFileNotResolvable,
+                  "Local package, Update not required."
+          end
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -24,11 +24,14 @@ module Dependabot
           )
         end
 
-        def updated_pnpm_lock_content(pnpm_lock)
+        def updated_pnpm_lock_content(pnpm_lock, updated_pnpm_workspace_content: nil)
           @updated_pnpm_lock_content ||= {}
           return @updated_pnpm_lock_content[pnpm_lock.name] if @updated_pnpm_lock_content[pnpm_lock.name]
 
-          new_content = run_pnpm_update(pnpm_lock: pnpm_lock)
+          new_content = run_pnpm_update(
+            pnpm_lock: pnpm_lock,
+            updated_pnpm_workspace_content: updated_pnpm_workspace_content
+          )
           @updated_pnpm_lock_content[pnpm_lock.name] = new_content
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_pnpm_lock_updater_error(e, pnpm_lock)
@@ -100,14 +103,17 @@ module Dependabot
         # Peer dependencies configuration error
         ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
 
-        def run_pnpm_update(pnpm_lock:)
+        def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              run_pnpm_update_packages
-
-              write_final_package_json_files
+              if updated_pnpm_workspace_content
+                File.write("pnpm-workspace.yaml", updated_pnpm_workspace_content["pnpm-workspace.yaml"])
+              else
+                run_pnpm_update_packages
+                write_final_package_json_files
+              end
 
               run_pnpm_install
 
@@ -140,11 +146,15 @@ module Dependabot
           )
         end
 
+        def workspace_files
+          @workspace_files ||= dependency_files.select { |f| f.name.end_with?("pnpm-workspace.yaml") }
+        end
+
         def lockfile_dependencies(lockfile)
           @lockfile_dependencies ||= {}
           @lockfile_dependencies[lockfile.name] ||=
             NpmAndYarn::FileParser.new(
-              dependency_files: [lockfile, *package_files],
+              dependency_files: [lockfile, *package_files, *workspace_files],
               source: nil,
               credentials: credentials
             ).parse

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -50,32 +50,21 @@ module Dependabot
         ]
       end
 
-      # rubocop:disable Metrics/PerceivedComplexity
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files = T.let([], T::Array[DependencyFile])
 
         updated_files += updated_manifest_files
-        if Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
-          updated_files += updated_pnpm_workspace_files
-        end
-        updated_files += updated_lockfiles
+        updated_files += if pnpm_workspace.any?
+                           update_pnpm_workspace_and_locks
+                         else
+                           updated_lockfiles
+                         end
 
         if updated_files.none?
-
-          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
-            # when all dependencies are transitive
-            all_transitive = dependencies.none?(&:top_level?)
-            # when there is no update in package.json
-            no_package_json_update = package_files.empty?
-            # handle the no change error for transitive dependency updates
-            if pnpm_locks.any? && dependencies.length.positive? && all_transitive && no_package_json_update
-              raise ToolFeatureNotSupported.new(
-                tool_name: "pnpm",
-                tool_type: "package_manager",
-                feature: "updating transitive dependencies"
-              )
-            end
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error) && original_pnpm_locks.any?
+            raise_tool_not_supported_for_pnpm_if_transitive
+            raise_miss_configured_tooling_if_pnpm_subdirectory
           end
 
           raise NoChangeError.new(
@@ -94,10 +83,69 @@ module Dependabot
 
         vendor_updated_files(updated_files)
       end
-      # rubocop:enable Metrics/PerceivedComplexity
 
       private
 
+      sig { void }
+      def raise_tool_not_supported_for_pnpm_if_transitive
+        # ✅ Ensure there are dependencies and check if all are transitive
+        return if dependencies.empty? || dependencies.any?(&:top_level?)
+
+        raise ToolFeatureNotSupported.new(
+          tool_name: "pnpm",
+          tool_type: "package_manager",
+          feature: "updating transitive dependencies"
+        )
+      end
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { void }
+      def raise_miss_configured_tooling_if_pnpm_subdirectory
+        workspace_files = original_pnpm_workspace
+        lockfiles = original_pnpm_locks
+
+        # ✅ Ensure `pnpm-workspace.yaml` is in a parent directory
+        return if workspace_files.empty?
+        return if workspace_files.any? { |f| f.directory == "/" }
+        return unless workspace_files.all? { |f| f.name.end_with?("../pnpm-workspace.yaml") }
+
+        # ✅ Ensure `pnpm-lock.yaml` is also in a parent directory
+        return if lockfiles.empty?
+        return if lockfiles.any? { |f| f.directory == "/" }
+        return unless lockfiles.all? { |f| f.name.end_with?("../pnpm-lock.yaml") }
+
+        # ❌ Raise error → Updating inside a subdirectory is misconfigured
+        raise MisconfiguredTooling.new(
+          "pnpm",
+          "Updating workspaces from inside a workspace subdirectory is not supported. " \
+          "Both `pnpm-lock.yaml` and `pnpm-workspace.yaml` exist in a parent directory. " \
+          "Dependabot should only update from the root workspace."
+        )
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def update_pnpm_workspace_and_locks
+        workspace_updates = updated_pnpm_workspace_files
+        lock_updates = update_pnpm_locks
+
+        workspace_updates + lock_updates
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def update_pnpm_locks
+        updated_files = []
+        pnpm_locks.each do |pnpm_lock|
+          next unless pnpm_lock_changed?(pnpm_lock)
+
+          updated_files << updated_file(
+            file: pnpm_lock,
+            content: updated_pnpm_lock_content(pnpm_lock)
+          )
+        end
+        updated_files
+      end
+
       sig { params(updated_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
       def vendor_updated_files(updated_files)
         base_dir = T.must(updated_files.first).directory
@@ -222,6 +270,24 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def original_pnpm_locks
+        @original_pnpm_locks ||= T.let(
+          dependency_files
+          .select { |f| f.name.end_with?("pnpm-lock.yaml") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def original_pnpm_workspace
+        @original_pnpm_workspace ||= T.let(
+          dependency_files
+          .select { |f| f.name.end_with?("pnpm-workspace.yaml") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def bun_locks
         @bun_locks ||= T.let(
@@ -294,8 +360,6 @@ module Dependabot
         end
       end
 
-      # rubocop:disable Metrics/MethodLength
-      # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def updated_lockfiles
         updated_files = []
@@ -309,14 +373,7 @@ module Dependabot
           )
         end
 
-        pnpm_locks.each do |pnpm_lock|
-          next unless pnpm_lock_changed?(pnpm_lock)
-
-          updated_files << updated_file(
-            file: pnpm_lock,
-            content: updated_pnpm_lock_content(pnpm_lock)
-          )
-        end
+        updated_files.concat(update_pnpm_locks)
 
         bun_locks.each do |bun_lock|
           next unless bun_lock_changed?(bun_lock)
@@ -347,9 +404,6 @@ module Dependabot
 
         updated_files
       end
-      # rubocop:enable Metrics/MethodLength
-      # rubocop:enable Metrics/PerceivedComplexity
-
       sig { params(yarn_lock: Dependabot::DependencyFile).returns(String) }
       def updated_yarn_lock_content(yarn_lock)
         @updated_yarn_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
@@ -361,7 +415,10 @@ module Dependabot
       def updated_pnpm_lock_content(pnpm_lock)
         @updated_pnpm_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
         @updated_pnpm_lock_content[pnpm_lock.name] ||=
-          pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock)
+          pnpm_lockfile_updater.updated_pnpm_lock_content(
+            pnpm_lock,
+            updated_pnpm_workspace_content: @updated_pnpm_workspace_content
+          )
       end
 
       sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -467,6 +467,8 @@ module Dependabot
       # Attempt to activate the local version of the package manager
       sig { params(name: String).void }
       def self.fallback_to_local_version(name)
+        return "Corepack does not support #{name}" unless corepack_supported_package_manager?(name)
+
         Dependabot.logger.info("Falling back to activate the currently installed version of #{name}.")
 
         # Fetch the currently installed version directly from the environment
@@ -553,6 +555,11 @@ module Dependabot
         result
       rescue StandardError => e
         Dependabot.logger.error("Error running package manager command: #{full_command}, Error: #{e.message}")
+        if e.message.match?(/Response Code.*:.*404.*\(Not Found\)/) &&
+           e.message.include?("The remote server failed to provide the requested resource")
+          raise RegistryError.new(404, "The remote server failed to provide the requested resource")
+        end
+
         raise
       end
 

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -189,8 +189,10 @@ module Dependabot
         @language_requirement ||= find_engine_constraints_as_requirement(Language::NAME)
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
       sig { params(name: String).returns(T.nilable(Requirement)) }
-      def find_engine_constraints_as_requirement(name) # rubocop:disable Metrics/PerceivedComplexity
+      def find_engine_constraints_as_requirement(name)
         Dependabot.logger.info("Processing engine constraints for #{name}")
 
         return nil unless @engines.is_a?(Hash) && @engines[name]
@@ -199,8 +201,7 @@ module Dependabot
         return nil if raw_constraint.empty?
 
         if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
-          constraints = ConstraintHelper.extract_constraints(raw_constraint)
-
+          constraints = ConstraintHelper.extract_ruby_constraints(raw_constraint)
           # When constraints are invalid we return constraints array nil
           if constraints.nil?
             Dependabot.logger.warn(
@@ -225,12 +226,16 @@ module Dependabot
 
         end
 
-        Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
-        Requirement.new(constraints)
+        if constraints && !constraints.empty?
+          Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
+          Requirement.new(constraints)
+        end
       rescue StandardError => e
         Dependabot.logger.error("Error processing constraints for #{name}: #{e.message}")
         nil
       end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/AbcSize
@@ -412,10 +417,15 @@ module Dependabot
 
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")
 
-        SharedHelpers.run_shell_command(
-          "corepack install #{name}@#{version} --global --cache-only",
-          fingerprint: "corepack install <name>@<version> --global --cache-only"
-        )
+        begin
+          SharedHelpers.run_shell_command(
+            "corepack install #{name}@#{version} --global --cache-only",
+            fingerprint: "corepack install <name>@<version> --global --cache-only"
+          )
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          Dependabot.logger.error("Error installing #{name}@#{version}: #{e.message}")
+          Helpers.fallback_to_local_version(name)
+        end
       end
 
       sig { params(name: T.nilable(String)).returns(String) }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.295.0
+  version: 0.296.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-30 00:00:00.000000000 Z
+date: 2025-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.295.0
+        version: 0.296.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.295.0
+        version: 0.296.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -356,7 +356,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.295.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.296.0
 post_install_message:
 rdoc_options: []
 require_paths: